Incident 02-19-02 19:15pm


Probes to tcp:21 are pretty common: W4r3z k1ddi3s...

Translation: warez kiddies, kids looking for unsecured FTP servers to set up storage for pirated software, MP3s, games...

This one is kinda odd: the source netblock is maintained by Rackspace, the domain name is registered in Venezuela, and at least when I http'ed, ftp'ed or tracerouted to the IP, the host itself didn't seem to be up...

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Feb 19 20:15:16 greatwall snort: [1:0:0] TCP to 21 ftp {TCP}
 209.61.158.226:65503 -> 12.82.132.202:21

Feb 19 20:15:16 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 209.61.158.226:65503 12.82.132.202:21
 L=40 S=0x00 I=2506 F=0x0000 T=200 SYN (#64)

Tue Feb 19 20:15:16 2002 209.61.158.226: UNKNOWN [527:200:0:0:-1:0:1:40].
 209.61.158.226:65503 -> 12.82.132.202:21 (timestamp: 200844623 @1014178516)

Here's what snort actually saw:

02/19-20:15:16.358436 209.61.158.226:65503 -> 12.82.132.202:21
TCP TTL:200 TOS:0x0 ID:2506 IpLen:20 DgmLen:40
******S* Seq: 0x1C92736  Ack: 0x0  Win: 0x20F  TcpLen: 20
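The four records above (snort's syslog alert, the ipchains kernel "Packet log" line, the p0f line and the full snort dump) all describe the same SYN. The following Python is an added example, not part of the original incident write-up: it parses each format, keys them on the TCP 4-tuple, checks that the per-packet fields they share (TTL, IP ID, window) agree, and turns the observed TTL into a rough initial-TTL/hop estimate. The log lines are the ones on this page, re-joined where the page wraps them; the p0f field layout [window:ttl:...] is an assumption, checked here against the snort dump (527 = 0x20F, TTL 200).

```python
import re
from dataclasses import dataclass
from typing import Optional

# The four records from the page. syslog writes each as a single line; the
# page shows them wrapped, so they are re-joined here.
SNORT_SYSLOG = ("Feb 19 20:15:16 greatwall snort: [1:0:0] TCP to 21 ftp {TCP} "
                "209.61.158.226:65503 -> 12.82.132.202:21")
IPCHAINS = ("Feb 19 20:15:16 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 "
            "209.61.158.226:65503 12.82.132.202:21 "
            "L=40 S=0x00 I=2506 F=0x0000 T=200 SYN (#64)")
P0F = ("Tue Feb 19 20:15:16 2002 209.61.158.226: UNKNOWN [527:200:0:0:-1:0:1:40]. "
       "209.61.158.226:65503 -> 12.82.132.202:21 (timestamp: 200844623 @1014178516)")
SNORT_PKT = ("02/19-20:15:16.358436 209.61.158.226:65503 -> 12.82.132.202:21\n"
             "TCP TTL:200 TOS:0x0 ID:2506 IpLen:20 DgmLen:40\n"
             "******S* Seq: 0x1C92736  Ack: 0x0  Win: 0x20F  TcpLen: 20")

# src:port [->] dst:port; the arrow is optional because ipchains omits it.
FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*(?:->)?\s*"
                     r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


@dataclass
class Event:
    source: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: Optional[int] = None
    ip_id: Optional[int] = None
    win: Optional[int] = None
    syn: Optional[bool] = None

    @property
    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)


def _flow(text):
    m = FLOW_RE.search(text)
    if not m:
        raise ValueError("no src:port -> dst:port in: %r" % text)
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def parse_snort_syslog(line):
    """snort's syslog alert carries only rule id, message and the 4-tuple."""
    src, sport, dst, dport = _flow(line)
    return Event("snort-alert", src, sport, dst, dport)


def parse_ipchains(line):
    """ipchains 'Packet log': L=len I=ip-id T=ttl, plus SYN when that flag is set."""
    src, sport, dst, dport = _flow(line)
    ttl = int(re.search(r"\bT=(\d+)", line).group(1))
    ip_id = int(re.search(r"\bI=(\d+)", line).group(1))
    return Event("ipchains", src, sport, dst, dport, ttl=ttl, ip_id=ip_id,
                 syn=bool(re.search(r"\bSYN\b", line)))


def parse_p0f(line):
    """p0f 1.x signature [window:ttl:...] (field order assumed, see lead-in)."""
    src, sport, dst, dport = _flow(line)
    m = re.search(r"\[(\d+):(\d+):", line)
    return Event("p0f", src, sport, dst, dport, ttl=int(m.group(2)), win=int(m.group(1)))


def parse_snort_packet(text):
    """Full snort dump: TTL, IP ID, hex window and the 8-character flag field."""
    src, sport, dst, dport = _flow(text)
    ttl = int(re.search(r"TTL:(\d+)", text).group(1))
    ip_id = int(re.search(r"\bID:(\d+)", text).group(1))
    win = int(re.search(r"Win:\s*(0x[0-9A-Fa-f]+)", text).group(1), 16)
    flags = re.search(r"^([*A-Z12]{8}) ", text, re.M).group(1)
    return Event("snort-packet", src, sport, dst, dport, ttl=ttl, ip_id=ip_id,
                 win=win, syn="S" in flags)


def correlate(events):
    """Group by 4-tuple; the sources saw the same packet only if every
    per-packet field they share (TTL, IP ID, window) agrees."""
    by_flow = {}
    for e in events:
        by_flow.setdefault(e.flow, []).append(e)
    report = {}
    for flow, evs in by_flow.items():
        fields, consistent = {}, True
        for name in ("ttl", "ip_id", "win"):
            vals = {getattr(e, name) for e in evs if getattr(e, name) is not None}
            fields[name] = next(iter(vals)) if len(vals) == 1 else None
            consistent = consistent and len(vals) <= 1
        report[flow] = {"sources": sorted(e.source for e in evs),
                        "consistent": consistent, **fields}
    return report


INITIAL_TTLS = (32, 64, 128, 255)   # defaults used by common IP stacks


def estimate_hops(ttl):
    """Assume the smallest common initial TTL >= observed; distance = the gap.
    200 gives (255, 55): far longer than any real path (the traceroute on this
    page reaches Rackspace in 13 hops), so either the stack starts from an
    unusual value or the sender set the TTL itself, which fits p0f's UNKNOWN."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init, init - ttl
    raise ValueError("TTL out of range: %d" % ttl)


if __name__ == "__main__":
    events = [parse_snort_syslog(SNORT_SYSLOG), parse_ipchains(IPCHAINS),
              parse_p0f(P0F), parse_snort_packet(SNORT_PKT)]
    for flow, info in correlate(events).items():
        print("%s:%d -> %s:%d" % flow, info)
        if info["ttl"] is not None:
            print("  initial TTL / hop estimate:", estimate_hops(info["ttl"]))
```

The correlation step is what tells you the firewall, the IDS and the passive fingerprinter are all reporting one packet rather than three events; the hop estimate is the quick sanity check on a TTL that does not look like a stock stack.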

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Apparently Rackspace maintains the netblock:

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman 

Rackspace.com (NETBLK-RSPC-NET-2)
   112 East Pecan St.
   San Antonio, TX 78205
   US    

Netname: RSPC-NET-2
   Netblock: 209.61.128.0 - 209.61.191.255
   Maintainer: RSPC    

Coordinator:
      Rackspace, com  (ZR9-ARIN)  hostmaster@rackspace.com
      210-892-4000    

Domain System inverse mapping provided by: 
   NS.RACKSPACE.COM     207.235.16.2
   NS2.RACKSPACE.COM    207.71.44.121

host gives us the host name:

[toot@sparky /storage/snort/old_snorts/021802]# host 209.61.158.226

226.158.61.209.in-addr.arpa. domain name pointer freenetca.com.

And whois for freenetca.com:

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman 

Registrant:
FreeNet (FREENETCA-DOM)
   Torre La Previsora, Piso 19, Oficina
   Sureste, Plaza Venezuela
   Caracas, DF 1050
   VE    

Domain Name: FREENETCA.COM    

Administrative Contact, Technical Contact, Billing Contact:
      Naya, Ricardo  (RNN143)  naya@FREENETCA.COM
      Freenet, C.A.
      Torre La Previsora, Piso 19, Oficina
      Sureste, Plaza Venezuela
      Caracas, DF 1050
      VE
      582127941277    

   Record last updated on 25-Jul-2001.
   Record expires on 21-Jul-2003.
   Record created on 21-Jul-1999.
   Database last updated on 19-Feb-2002 12:50:00 EST.    

Domain servers in listed order: 
   NS1.FREENETCA.COM    209.61.158.226
   NS2.FREENETCA.COM    209.61.157.154

dig for freenetca.com, just as a back check:

[toot@sparky /storage/snort/old_snorts/021802]# dig @greatwall freenetca.com 

; <<>> DiG 9.1.0 <<>> @greatwall freenetca.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40990
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;freenetca.com.			IN	A

;; ANSWER SECTION:
freenetca.com.		86400	IN	A	209.61.158.226

;; AUTHORITY SECTION:
freenetca.com.		86400	IN	NS	ns1.freenetca.com.
freenetca.com.		86400	IN	NS	ns2.freenetca.com.

;; ADDITIONAL SECTION:
ns1.freenetca.com.	86400	IN	A	209.61.158.226
ns2.freenetca.com.	86400	IN	A	209.61.157.154

;; Query time: 4070 msec
;; SERVER: 192.168.1.2#53(greatwall)
;; WHEN: Tue Feb 19 21:47:28 2002
;; MSG SIZE  rcvd: 115
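The back check above is really three lookups that should agree: the PTR from `host`, the A record from `dig`, and the name servers the registrar lists in whois. Here is an added Python example (not part of the original write-up) that parses the dig output and the `host` line as shown on this page, does a forward-confirmed reverse DNS check, compares the NS set and glue in the answer with the whois name-server list, and lists every name the answer puts on the probing address. The whois name-server entries are embedded from the record above; nothing is fetched from the network.

```python
import re

# Output copied from the page, embedded so the check runs offline.
HOST_OUTPUT = "226.158.61.209.in-addr.arpa. domain name pointer freenetca.com."
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40990
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;freenetca.com.                 IN      A

;; ANSWER SECTION:
freenetca.com.          86400   IN      A       209.61.158.226

;; AUTHORITY SECTION:
freenetca.com.          86400   IN      NS      ns1.freenetca.com.
freenetca.com.          86400   IN      NS      ns2.freenetca.com.

;; ADDITIONAL SECTION:
ns1.freenetca.com.      86400   IN      A       209.61.158.226
ns2.freenetca.com.      86400   IN      A       209.61.157.154
"""
# Name servers from the registrar whois record on the page.
WHOIS_NS = {"ns1.freenetca.com": "209.61.158.226",
            "ns2.freenetca.com": "209.61.157.154"}

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|NS|PTR|CNAME|MX)\s+(\S+)\s*$")


def _norm(name):
    return name.lower().rstrip(".")


def parse_dig(text):
    """Map each dig section (ANSWER, AUTHORITY, ADDITIONAL) to a list of
    (owner, ttl, type, rdata) tuples, names lower-cased without trailing dot."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            continue
        if not line or line.startswith(";") or current is None:
            continue
        r = RR_RE.match(line)
        if r:
            owner, ttl, rtype, rdata = r.groups()
            sections.setdefault(current, []).append(
                (_norm(owner), int(ttl), rtype, _norm(rdata)))
    return sections


def ptr_to_ip(rev_name):
    """226.158.61.209.in-addr.arpa -> 209.61.158.226"""
    labels = _norm(rev_name).split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
        raise ValueError("not an IPv4 reverse name: " + rev_name)
    return ".".join(reversed(labels[:4]))


def fcrdns_check(ip, host_output, sections):
    """Forward-confirmed reverse DNS: the PTR target must have an A record
    pointing back at ip. Returns (ok, ptr_name)."""
    m = re.match(r"(\S+) domain name pointer (\S+)", host_output)
    if not m or ptr_to_ip(m.group(1)) != ip:
        return False, None
    ptr_name = _norm(m.group(2))
    forward = {rdata for owner, _, t, rdata in sections.get("ANSWER", [])
               if t == "A" and owner == ptr_name}
    return ip in forward, ptr_name


def glue_vs_whois(sections, whois_ns):
    """Compare the NS set and glue in the DNS answer with the registrar's
    name-server list; returns {name: problem}, empty when consistent."""
    ns_names = {rdata for _, _, t, rdata in sections.get("AUTHORITY", []) if t == "NS"}
    glue = {owner: rdata for owner, _, t, rdata in sections.get("ADDITIONAL", []) if t == "A"}
    problems = {}
    for name, ip in whois_ns.items():
        if name not in ns_names:
            problems[name] = "not in AUTHORITY section"
        elif glue.get(name) != ip:
            problems[name] = "glue %s != whois %s" % (glue.get(name), ip)
    return problems


def names_for_ip(sections, ip):
    """Every owner name in the answer whose A record is ip."""
    return {owner for sec in ("ANSWER", "ADDITIONAL")
            for owner, _, t, rdata in sections.get(sec, []) if t == "A" and rdata == ip}


if __name__ == "__main__":
    ip = "209.61.158.226"
    sec = parse_dig(DIG_OUTPUT)
    print("FCrDNS:", fcrdns_check(ip, HOST_OUTPUT, sec))
    print("whois vs glue problems:", glue_vs_whois(sec, WHOIS_NS))
    print("names on %s:" % ip, sorted(names_for_ip(sec, ip)))
```

For this incident all three agree, and the last line is the useful summary: the probing address carries both the zone apex and ns1, so it is the domain's own server box rather than a random customer host in the Rackspace block.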

HTTP to either the IP address or the host name returns no response; what about traceroute?

Is this host even up? Or, at least is it up right *now*?

[toot@sparky /storage/snort/old_snorts/021802]# traceroute 209.61.158.226
traceroute to 209.61.158.226 (209.61.158.226), 30 hops max, 38 byte packets
 1  greatwall                    (192.168.1.2)     3.941 ms    0.405 ms    2.282 ms
 2  165.238.131.55            (165.238.131.55)   138.508 ms  124.619 ms  129.843 ms
 3  165.238.131.49            (165.238.131.49)   129.998 ms  123.349 ms  129.867 ms
 4  gbr1-p58.st6wa.ip.att.net (12.122.253.237)   129.935 ms  125.902 ms  129.846 ms
 5  gbr3-p70.st6wa.ip.att.net   (12.122.5.157)   129.960 ms  126.334 ms  129.614 ms
 6  gbr4-p10.sffca.ip.att.net    (12.122.2.61)   149.659 ms  145.866 ms  239.602 ms
 7  gbr3-p20.la2ca.ip.att.net    (12.122.2.70)   159.612 ms  156.399 ms  159.621 ms
 8  gbr3-p30.dlstx.ip.att.net    (12.122.3.69)   199.660 ms  196.519 ms  189.836 ms
 9  gbr4-p60.dlstx.ip.att.net   (12.122.1.138)   180.007 ms  196.381 ms  199.767 ms
10  gbr1-p80.auttx.ip.att.net   (12.122.2.110)   199.857 ms  197.163 ms  199.864 ms
11  gar1-p360.auttx.ip.att.net (12.123.133.21)   199.951 ms  196.048 ms  189.881 ms
12  12.124.219.58              (12.124.219.58)   199.921 ms  197.390 ms  199.803 ms
13  vl131.aggr2.sat.rackspace.com (64.39.2.50)   199.952 ms  196.718 ms  199.845 ms
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  *

hmm..

Inconclusive: Rackspace could be blocking traceroutes; the last host name does not clearly indicate its purpose...


jsage@finchhaven.com
Last modified: Wed Feb 20 02:57:19 2002